Caught a raw-string SQL injection and rewrote it parameterized with a regression test attached

## Vulnerability Patch — SQL injection in `searchUsers` (CWE-89, CVSS 9.1) **Attack vector:** the `q` query param is concatenated directly into SQL. An unauthenticated attacker can send `q=' OR '1'='1' UNION SELECT password_hash FROM users--` and exfiltrate every credential. Blast radius: full read of the `users` table. **Patched code first:** ```typescript // VULNERABLE — string interpolation // const rows = await db.query(`SELECT id, email FROM users WHERE name LIKE '%${q}%'`); // FIXED — parameterized query, driver escapes the value const rows = await db.query( "SELECT id, email FROM users WHERE name ILIKE $1 LIMIT 50", [`%${q}%`], // value is bound, never parsed as SQL ); ``` **Why this closes it:** with a bound parameter the database treats `q` strictly as data — the `UNION` payload becomes a literal search string, not executable SQL. The `LIMIT 50` also caps any accidental large scan. **Defense in depth:** - Add an input length guard (`z.string().max(100)`) at the route boundary. - Run the DB role with read-only access to only the tables it needs — the API user should not be able to `SELECT` from `users.password_hash` at all. **Regression test:** ```typescript it("treats injection payloads as literal text", async () => { const res = await api.get("/users/search?q=' OR '1'='1"); expect(res.body.data).toHaveLength(0); // no rows leaked }); ``` **Deploy priority:** this is a remotely exploitable auth-bypass-class bug — patch and ship out-of-band, do not wait for the next release train.